Taking the trial and error out of ysoserial
A new tool developed by researchers at Bishop Fox aims to reduce the frustration of exploiting Java deserialization bugs – a dangerous and often underrated class of security vulnerabilities found in Java web applications.
Named GadgetProbe, the tool makes it easier to exploit deserialization bugs by automating the trial-and-error effort required to find potentially vulnerable Java libraries used in remote applications.
What is serialization and deserialization?
‘Serialization’ – also called ‘marshalling’ – is a feature found in many programming languages, where an in-memory object is transformed into a stream of bytes for storage on disk or transfer to a remote application.
The opposite operation, ‘deserialization’, refers to the extraction of a data structure from this stream of bytes.
Deserialization is widely used in many web applications and services. Use cases include the transferring and storing of data, the distribution of objects, or executing remote procedure calls.
Why deserialization can be dangerous
Unfortunately, not all forms of deserialization are safe, and it is up to the applications’ programmers to implement safeguards against misuse.
Hackers can insert malicious payloads into serialized objects to exploit vulnerabilities in deserialization implementations.
An unhandled deserialization bug can lead to remote code execution – one of the most dangerous types of cyber-attacks.
Deserialization vulnerabilities were first brought to attention by security researchers Chris Frohoff and Gabriel Lawrence at AppSec California 2015 in a presentation titled ‘Marshalling Pickles’.
The pair demonstrated proof-of-concept code for exploiting Java object deserialization vulnerabilities.
GadgetProbe: Deserialization exploits made easy
Along with their presentation at AppSec California, Frohoff and Lawrence released ‘ysoserial’ – a collection of utilities that can, under the right conditions, exploit applications that perform unsafe Java deserialization.
Since its launch, ysoserial has become the main tool for exploiting deserialization vulnerabilities, providing a collection of known, high-impact gadget chains present in popular Java libraries.
However, without knowledge of what libraries and versions the remote software is using, security researchers are left to guess and perform a lot of manual trial and error.
GadgetProbe can determine whether or not a specified library is present in the remote software, as well as detect the version of a library. It uses a specially crafted object that can answer true or false questions, by signaling over DNS.
The tool uses a wordlist of Java library class names to brute-force libraries and versions available in the remote class path. GadgetProbe is designed as both a Java library and as an extension for Burp Suite.
“I recently found unsafe deserialization in a proprietary binary protocol, and I was easily able to use the GadgetProbe library to brute-force Java classes over the protocol,” Jake Miller, security associate at Bishop Fox and lead researcher for GadgetProbe, told The Daily Swig.
GadgetProbe has been designed as both a Java library and a Burp Suite extension
GadgetProbe ties in with other deserialization vulnerability discovery tools, such as Gadget Inspector.
“Given a list of libraries, GadgetInspector will automatically discover new gadget chains,” said Miller.
“By feeding the information from GadgetProbe into GadgetInspector, you will be able to develop custom gadget chains unique to the specific set of libraries present in the application you are testing.”
He added: “You won’t be stuck with known exploits – with these two tools you can generate your own for a particular application.”
Since its launch this month, GadgetProbe has received positive feedback from the security community.
“Demonstrating the impact of vulnerabilities is a key part of penetration testing,” Miller says.
“This tool empowers bounty hunters to retrieve higher paying bounties, consultants to demonstrate higher impact to their clients, and researchers to provide more reliable exploits.”